- OWASP ZAP
- The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
- ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
- Burp Proxy
- Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients.
- Firefox HTTP Header Live
- View HTTP headers of a page and while browsing.
- Firefox Tamper Data
- Use tamperdata to view and modify HTTP/HTTPS headers and post parameters
- Firefox Web Developer
- The Web Developer extension adds various web developer tools to the browser.
- w3af
- w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
- Chrome Web Developer
- The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Chrome.
- HTTP Request Maker
- Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
- Cookie Editor
- Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
- Session Manager
- With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e the opened tabs and windows.
- OllyDbg
- "A windows based debugger used for analyzing buffer overflow vulnerabilities"
- Spike
- A fuzzer framework that can be used to explore vulnerabilities and perform length testing
- Brute Force Binary Tester (BFB)
- A proactive binary checker
- Metasploit
- A rapid exploit development and Testing frame work
- NGS Typhon
- HCL AppScan
- Burp Intruder
- Acunetix Web Vulnerability Scanner
- MaxPatrol Security Scanner
- Parasoft SOAtest (more QA-type tool)
- N-Stalker Web Application Security Scanner
- SoapUI (Web Service security testing)
- Netsparker
- SAINT
- QualysGuard WAS
- IndusFace WAS
- Fortify WebInspect
- Checkmarx CxSuite
- GrammaTech
- ITS4
- ParaSoft
- Virtual Forge CodeProfiler for ABAP
- Veracode
- Peach Fuzzer
- Burp Suite
- Fortify SCA
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.